All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SoS-TA clustered search peer deploy - incorrect scripted input path error

NGRhodes
Explorer
‎01-08-2015 03:37 AM

I deployed the SoS-TA package by placing it in on our custer master in /opt/splunk/etc/master-apps directory and deploying from the Web UI.

I noticed the following error after enabling the inputs:

01-08-2015 11:19:08.762 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-sos/bin/ps_sos.sh" /bin/sh: 1: /opt/splunk/etc/apps/TA-sos/bin/ps_sos.sh: not found

The fix
Simply clone the 3 scripted inputs from SoS-TA and recreate the correct path eg:

 /opt/splunk/etc/apps/TA-sos/bin/ps_sos.sh

Becomes:

 /opt/splunk/etc/slave-apps/TA-sos/bin/ps_sos.sh

Have I deployed this incorrectly or is it a bug in the the package deployment mechanism ?

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎01-08-2015 03:47 PM

This is pretty strange and very unexpected as the S.o.S technology add-on has been specifically validated to work in an indexer cluster environment, deployed from the cluster master just as you described.

Do you maybe have a pre-existing copy of "TA-sos" under $SPLUNK_HOME/etc/apps on the cluster peers? If so, you should remove that version and allow the one under $SPLUNK_HOME/etc/slave-apps to be the only copy of this TA present on the cluster peers.

Don't forget to enable the scripted inputs in $SPLUNK_HOME/etc/master-apps/local/inputs.conf on the Cluster Master before pushing out the TA!

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎01-08-2015 03:47 PM

This is pretty strange and very unexpected as the S.o.S technology add-on has been specifically validated to work in an indexer cluster environment, deployed from the cluster master just as you described.

Do you maybe have a pre-existing copy of "TA-sos" under $SPLUNK_HOME/etc/apps on the cluster peers? If so, you should remove that version and allow the one under $SPLUNK_HOME/etc/slave-apps to be the only copy of this TA present on the cluster peers.

Don't forget to enable the scripted inputs in $SPLUNK_HOME/etc/master-apps/local/inputs.conf on the Cluster Master before pushing out the TA!

Reply
Solved! Jump to solution

NGRhodes
Explorer
‎01-12-2015 02:01 AM

I did originally copy to the wrong location, looks like there were some leftovers that splunk was picking up 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...